FIDO2

identity

An open authentication standard that enables passwordless authentication using public key cryptography.

What is FIDO2?

FIDO2 consists of WebAuthn (the Web Authentication API) and CTAP (the Client to Authenticator Protocol). When registering, the authenticator creates a public-private key pair and stores the private key securely on the device; only the public key is sent to the service. During authentication, the authenticator signs a server-supplied challenge, together with the origin of the site requesting it, using the private key, proving possession without transmitting any secrets. Because each signature is bound to a fresh challenge and to the legitimate origin, the page describes FIDO2 as immune to phishing, replay attacks, and credential theft.
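As an added illustration of the registration and challenge-signing steps described above (this is example code, not code from TrueConfig or from the FIDO specifications), the following Go program simulates an ES256 authenticator and the relying party's verification of its assertion. The origin, challenge and authenticator data are constructed sample values, and the rpIdHash and user-presence checks of a full WebAuthn verification are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData holds the clientDataJSON fields we check; json.Unmarshal matches the lowercase keys case-insensitively.
type clientData struct{ Type, Challenge, Origin string }

// assertionDigest hashes what the authenticator actually signs: authenticatorData || SHA-256(clientDataJSON).
func assertionDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// authenticatorSign simulates the security key: the private key never leaves it, only a signature does.
func authenticatorSign(priv *ecdsa.PrivateKey, authData, clientDataJSON []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, priv, assertionDigest(authData, clientDataJSON))
}

// verifyAssertion is the relying-party side: fresh challenge (anti-replay), our origin (anti-phishing), valid signature.
func verifyAssertion(pub *ecdsa.PublicKey, rpOrigin, expectedChallenge string, authData, clientDataJSON, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge {
		return fmt.Errorf("wrong ceremony type or stale challenge (type=%q)", cd.Type)
	}
	if cd.Origin != rpOrigin {
		return fmt.Errorf("origin %q is not %q: credential will not work for a look-alike site", cd.Origin, rpOrigin)
	}
	if !ecdsa.VerifyASN1(pub, assertionDigest(authData, clientDataJSON), sig) {
		return fmt.Errorf("signature does not verify")
	}
	return nil
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // registration: key pair created on the authenticator
	cdj := []byte(`{"type":"webauthn.get","challenge":"constructed-challenge-1","origin":"https://login.example.test"}`)
	sig, _ := authenticatorSign(priv, []byte("constructed-authenticator-data"), cdj)
	fmt.Println("verify:", verifyAssertion(&priv.PublicKey, "https://login.example.test", "constructed-challenge-1", []byte("constructed-authenticator-data"), cdj, sig))
}
```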

In Microsoft 365

Microsoft 365 supports FIDO2 security keys as a primary authentication method. Users can register FIDO2 keys at aka.ms/mysecurityinfo, and Conditional Access policies can require FIDO2 authentication for specific scenarios using authentication strength.

Examples

  • YubiKey 5 Series
  • Google Titan Security Key
  • Feitian ePass FIDO2
  • Windows Hello with TPM

Related TrueConfig Controls

These controls help implement and verify FIDO2 in your Microsoft 365 environment.

Frequently Asked Questions

What is FIDO2?
An open authentication standard that enables passwordless authentication using public key cryptography.
How does FIDO2 work in Microsoft 365?
Microsoft 365 supports FIDO2 security keys as a primary authentication method. Users can register FIDO2 keys at aka.ms/mysecurityinfo, and Conditional Access policies can require FIDO2 authentication for specific scenarios using authentication strength.
What are examples of FIDO2?
Examples of FIDO2 include: YubiKey 5 Series, Google Titan Security Key, Feitian ePass FIDO2, Windows Hello with TPM.
Which TrueConfig controls relate to FIDO2?
TrueConfig controls related to FIDO2 include: PA-05, PA-06, ID-04. These controls help implement and verify FIDO2 in your environment.

Related Terms